I found it interesting that when I search Google for Vodafone, the first articles that come up under “News for Vodafone” are about the cable company’s large acquisition in Germany. I was looking for news about Vodafone’s recent breach, which affected the personal data of two million German customers. Articles on both news events are dated over the same time period (the end of last week, most on September 12 or 13), but stories of the hack are buried. I had to do some serious digging to find them.
The Vodafone attack was an inside job, and apparently the individual responsible has been identified and is under investigation. However, some security experts have told me that this hack should be a wake-up call about the risk of insider threats (i.e., haven’t we learned anything from Edward Snowden and what insiders are capable of doing?) and whether or not attacks on a telecommunications company increases the security risks involving our mobile devices. But the most important takeaway, Matthew Standart, director of threat intelligence at HBGary, told me in an email:
Any time there is a successful breach of this magnitude, most if not all security controls have failed at the victim organization.
Kevin O’Brien, enterprise solution architect at CloudLock, echoed that thought:
What the Vodafone hack reveals is yet another example of how and why on-premises data security models have failed to keep up with an increasingly interconnected world; servers that contain critical data, such as personally identifiable information as was stolen here, should not be accessible on the public Internet.
Vodafone is warning its customers to beware of phishing attacks and to review their bank accounts. Because of the millions of Vodafone mobile customers that could be affected by this breach, the hack could affect some enterprises, if these customers also use their devices in BYOD situations. It would be wise, Standart advised, for enterprises to step up their security game as well. He provided these tips to increase security:
- Understand that the company could become an attack vector.
- Calculate the risks of this based on mobile device use within and outside the organization and identify and invest in proper mitigating controls.
- Develop and enforce strong policies and procedures regarding the security and use of mobile devices.
- Invest in the right people and provide them with adequate tools to detect, investigate, and remediate threats that attack through mobile devices.
One thing I hope Vodafone is able to answer: Now that it’s acquired all of those new customers and plans to acquire more, what steps will it take to keep all of its customers secure? It’s a question that any company should be able to answer, especially before it increases its customer base.